csrf

Common attack techniques -- CSRF

自闭症网瘾萝莉.ら submitted on 2019-12-07 14:41:46
Suppose a bank website A initiates transfers with a GET request, the transfer URL being www.xxx.com/transfer.do?accountNum=10001&money=10000, where the accountNum parameter is the destination account and the money parameter is the amount to transfer. Meanwhile, on some large forum B, a malicious user uploads an "image" whose address is not the address of a picture at all, but the transfer URL above:

<img src= "http://www.xxx.com/transfer.do?accountNum=10001&money=10000" >

If you log in to site A, do not log out in time, and then visit forum B, something unfortunate happens: you find that your account is 10000 short...

Why? When you logged in to bank A, your browser stored bank A's cookie. When you visit forum B, the <img> tag on the page makes the browser issue a new HTTP request to fetch the image resource; that request actually goes to bank A's transfer URL www.xxx.com/transfer.do?accountNum=10001&money=10000 and carries bank A's cookie along with it. When the bank's server receives the request, it treats it as a transfer you initiated, and so 10000 disappears from your account.

Common attack techniques -- defending against CSRF
1. Set the cookie to HttpOnly

pass csrf token to blueimp fileupload

风格不统一 submitted on 2019-12-07 14:24:58
Question: I'm building a SPA (Single Page Application) using AngularJS, and for file upload I'm trying to use Blueimp File Upload. The server side is in NodeJS, using csrf, so all requests are sent to the server with a CSRF token (X-XSRF-TOKEN, set by AngularJS). Now when I try to upload the file using Blueimp it fails with "Error: invalid csrf token", as it didn't attach the necessary token to the request, and I'm wondering how to set the token. Please note that I'm already using AngularJS, and I

Local React Frontend, Django REST Framework Backend (Trouble accessing CSRF cookie under CORS)

[亡魂溺海] submitted on 2019-12-07 13:08:59
Question: I'm creating a web app with a React frontend and Django REST Framework backend. Due to some circumstances, I have to develop the React frontend locally while the backend server is at a remote location. The backend server requires me to use the CSRF token for every POST after login, and I'm supposed to be able to retrieve the csrftoken from the cookie that the backend sends. I've verified that the cookie does get sent over the network and is included in the response headers in the form of: Set

L5 random TokenMismatchExceptions

与世无争的帅哥 submitted on 2019-12-07 12:01:23
Question: I'm getting random TokenMismatchExceptions in Laravel 5. Using the following code in the tokensMatch() function, I've been trying to debug this weird issue:

Log::debug($request->session()->token(). ', ' . $token);

The output is as follows:

[2015-03-21 17:04:22] local.DEBUG: XJhAXXQumM0JLX9tFcQn1tQZMI1FtglDFuhi8abT, XJhAXXQumM0JLX9tFcQn1tQZMI1FtglDFuhi8abT
[2015-03-21 17:04:34] local.DEBUG: XJhAXXQumM0JLX9tFcQn1tQZMI1FtglDFuhi8abT, XJhAXXQumM0JLX9tFcQn1tQZMI1FtglDFuhi8abT
[2015-03-21 17:04:36]

When Is It Necessary to Protect Forms with a Token (CSRF attacks)?

∥☆過路亽.° submitted on 2019-12-07 10:15:38
Question: As far as I understand, a web developer should create a token and put it in a hidden field of the form to prevent CSRF attacks. Also, he should save the same token in the session and then, when the form is submitted, check that the tokens are equal. I came to a question... is it necessary to use this technique for all forms? I mean, imagine a form that is created to sign in. I can't see any harm done to the site and/or user if there is no CSRF protection, because the user has no privileges (like he would have if he would

How to set up headers in an ajax POST request to include the CSRF token

喜夏-厌秋 submitted on 2019-12-07 09:09:28
Help me set up the headers to get rid of this error message: "Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'."

HTML:

<meta name="_csrf" th:content="${_csrf.token}"/>
<meta name="_csrf_header" th:content="${_csrf.headerName}"/>

My JS code:

var recipe = getRecipe();
var token = $("meta[name='_csrf']").attr("content");
var header = $("meta[name='_csrf_header']").attr("content");
console.log(token);
console.log(header);
console.log(recipe);
var headers = {};
// How to set up the header to include the CSRF token
$.ajax({
    url: "/recipe",
    type: "POST",
    dataType: "json",

HTTP 403 while executing a PUT request

孤者浪人 submitted on 2019-12-07 07:13:24
I am creating a Django REST API, and I'm trying to send JSON data via a PUT request from an Android device, using HttpURLConnection.

URL url = new URL(myurl);
conn = (HttpURLConnection) url.openConnection();
conn.setReadTimeout(10000 /* milliseconds */);
conn.setConnectTimeout(15000 /* milliseconds */);
conn.setRequestMethod("PUT");
conn.setDoInput(true);
conn.setDoOutput(true);
conn.setRequestProperty("Content-Type", "application/json; charset=UTF-8");
conn.setRequestProperty("Accept", "application/json");
Log.v("Apiput", MainActivity.cookieManager.getCookieStore().getCookies().get(0).toString(

Is the {% csrf_token %} CSRF protection tag still necessary in Django 1.2?

若如初见. submitted on 2019-12-07 06:24:33
Question: I am testing the CSRF protection on my site and I have noticed something unexpected. I removed {% csrf_token %} from my form and the submission still works. I couldn't work out why. I then looked at the source and realised the token was still there, right next to the <form> element. I changed the ID of the form to make sure it was definitely updating the source, and it was, but the hidden input is still there. I am using Django 1.2. Is {% csrf_token %} still necessary? Cheers, Rich
Answer 1: After

Set config item (csrf) doesn't work in CodeIgniter

自作多情 submitted on 2019-12-07 04:58:40
Question: I want to turn ON csrf protection only in a few of my controllers, so I have

function __construct()
{
    parent::__construct();
    $this->load->library('form_validation');
    $this->load->library('tank_auth');
    $this->load->helper(array('form', 'url'));
    $this->load->model('user_model', '', true);
    $this->config->set_item('csrf_protection', TRUE);
}

But it doesn't seem to work. When I do var_dump($this->config) on a page it shows that csrf_protection is TRUE, but the cookies are not set and the

Getting 403 error when using CSRF filter with tomcat 6.0.32

流过昼夜 submitted on 2019-12-07 04:50:19
Question: This is my filter config in web.xml

<filter>
    <filter-name>CSRFPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
        <param-name>entryPoints</param-name>
        <param-value>/login<param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CSRFPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
<filter>

Am I missing something? Are any code changes necessary to enable csrf protection in Tomcat?
Answer 1: